feat: support custom upsteam ca cert (#340)

* feat(main.go, routes.go): custom upsteam ca cert

Signed-off-by: Yuval Dekel <yuvddd05@gmail.com>

* fix(main.go): missig )

Signed-off-by: Yuval Dekel <yuvddd05@gmail.com>

* fix(routes.go): import os

Signed-off-by: Yuval Dekel <yuvddd05@gmail.com>

* fix(routes.go): fix otp to opt

Signed-off-by: Yuval Dekel <yuvddd05@gmail.com>

* fix(main.go): fix misspell

Signed-off-by: Yuval Dekel <yuvddd05@gmail.com>

* fix(routes.go): lint errorf not capitalized

Signed-off-by: Yuval Dekel <yuvddd05@gmail.com>

* fix(routes.go) fix error

Signed-off-by: Yuval Dekel <yuvddd05@gmail.com>

* fix(routes.go): struct spaces

Signed-off-by: Yuval Dekel <yuvddd05@gmail.com>

* fix(routes.go): logger spaces

Signed-off-by: Yuval Dekel <yuvddd05@gmail.com>

* fix remove white spaces

Signed-off-by: Yuval Dekel <yuvddd05@gmail.com>

* remove white spaces

Signed-off-by: Yuval Dekel <yuvddd05@gmail.com>

* fix(main.go): fix upstream ca path description

Co-authored-by: Simon Pasquier <spasquie@redhat.com>
Signed-off-by: Yuval dekel <153660450+yuvaldekel@users.noreply.github.com>

* fix(routes.go): remove redundant new line

Co-authored-by: Simon Pasquier <spasquie@redhat.com>
Signed-off-by: Yuval dekel <153660450+yuvaldekel@users.noreply.github.com>

* fix align

Signed-off-by: Yuval Dekel <yuvddd05@gmail.com>

* fix(routes.go): init TLSClientConfig

Signed-off-by: Yuval Dekel <yuvddd05@gmail.com>

* fix(routes.go): remove transport from struct

Signed-off-by: Yuval Dekel <yuvddd05@gmail.com>

* define transport

Signed-off-by: Yuval Dekel <yuvddd05@gmail.com>

---------

Signed-off-by: Yuval Dekel <yuvddd05@gmail.com>
Signed-off-by: Yuval dekel <153660450+yuvaldekel@users.noreply.github.com>
Co-authored-by: Simon Pasquier <spasquie@redhat.com>

Author: yuvaldekel

injectproxy/routes.go

@@ -16,6 +16,7 @@ package injectproxy
 import (
 	"context"
 	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -24,6 +25,7 @@ import (
 	"net/http"
 	"net/http/httputil"
 	"net/url"
+	"os"
 	"regexp"
 	"slices"
 	"sort"
@@ -57,6 +59,7 @@ type routes struct {
 }
 
 type options struct {
+	upstreamCaCert           string
 	enableLabelAPIs          bool
 	passthroughPaths         []string
 	insecureSkipVerify       bool
@@ -84,6 +87,13 @@ func WithPrometheusRegistry(reg prometheus.Registerer) Option {
 	})
 }
 
+// WithUpstreamCaCert configures the proxy to use the custom ca certificate for the upstream.
+func WithUpstreamCaCert(caCert string) Option {
+	return optionFunc(func(o *options) {
+		o.upstreamCaCert = caCert
+	})
+}
+
 // WithEnabledLabelsAPI enables proxying to labels API. If false, "501 Not implemented" will be return for those.
 func WithEnabledLabelsAPI() Option {
 	return optionFunc(func(o *options) {
@@ -419,13 +429,26 @@ func NewRoutes(upstream *url.URL, label string, extractLabeler ExtractLabeler, o
 	}
 
 	// Configure tls for proxy
-	tlsConfig := &tls.Config{}
-	tlsConfig.InsecureSkipVerify = opt.insecureSkipVerify
+	transport := http.DefaultTransport.(*http.Transport).Clone()
+	transport.TLSClientConfig = &tls.Config{
+		InsecureSkipVerify: opt.insecureSkipVerify,
+	}
+
+	if opt.upstreamCaCert != "" {
+		caCert, err := os.ReadFile(opt.upstreamCaCert)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read CA certificate: %v", err)
+		}
+
+		caCertPool := x509.NewCertPool()
+		if ok := caCertPool.AppendCertsFromPEM(caCert); !ok {
+			return nil, fmt.Errorf("failed to append CA cert to pool")
+		}
 
-	proxy.Transport = &http.Transport{
-		TLSClientConfig: tlsConfig,
+		transport.TLSClientConfig.RootCAs = caCertPool
 	}
 
+	proxy.Transport = transport
 	proxy.ModifyResponse = r.ModifyResponse
 	proxy.ErrorHandler = r.errorHandler
 	proxy.ErrorLog = log.Default()

main.go

@@ -59,6 +59,7 @@ func main() {
 		insecureListenAddress           string
 		internalListenAddress           string
 		upstream                        string
+		upstreamCaCert                  string
 		queryParam                      string
 		headerName                      string
 		label                           string
@@ -78,9 +79,10 @@ func main() {
 	flagset := flag.NewFlagSet(os.Args[0], flag.ExitOnError)
 	flagset.StringVar(&insecureListenAddress, "insecure-listen-address", "", "The address the prom-label-proxy HTTP server should listen on.")
 	flagset.StringVar(&internalListenAddress, "internal-listen-address", "", "The address the internal prom-label-proxy HTTP server should listen on to expose metrics about itself.")
-	flagset.StringVar(&queryParam, "query-param", "", "Name of the HTTP parameter that contains the tenant value.At most one of -query-param, -header-name and -label-value should be given. If the flag isn't defined and neither -header-name nor -label-value is set, it will default to the value of the -label flag.")
+	flagset.StringVar(&queryParam, "query-param", "", "Name of the HTTP parameter that contains the tenant value. At most one of -query-param, -header-name and -label-value should be given. If the flag isn't defined and neither -header-name nor -label-value is set, it will default to the value of the -label flag.")
 	flagset.StringVar(&headerName, "header-name", "", "Name of the HTTP header name that contains the tenant value. At most one of -query-param, -header-name and -label-value should be given.")
 	flagset.StringVar(&upstream, "upstream", "", "The upstream URL to proxy to.")
+	flagset.StringVar(&upstreamCaCert, "upstream-ca-cert", "", "The upstream ca certificate file.")
 	flagset.StringVar(&label, "label", "", "The label name to enforce in all proxied PromQL queries.")
 	flagset.Var(&labelValues, "label-value", "A fixed label value to enforce in all proxied PromQL queries. At most one of -query-param, -header-name and -label-value should be given. It can be repeated in which case the proxy will enforce the union of values.")
 	flagset.BoolVar(&enableLabelAPIs, "enable-label-apis", false, "When specified proxy allows to inject label to label APIs like /api/v1/labels and /api/v1/label/<name>/values. "+
@@ -132,6 +134,10 @@ func main() {
 	)
 
 	opts := []injectproxy.Option{injectproxy.WithPrometheusRegistry(reg)}
+	if upstreamCaCert != "" {
+		opts = append(opts, injectproxy.WithUpstreamCaCert(upstreamCaCert))
+	}
+
 	if enableLabelAPIs {
 		opts = append(opts, injectproxy.WithEnabledLabelsAPI())
 	}